Privacy and legal

Health Services privacy policy

This privacy policy tells you what data we collect, why we collect it and what we do with it. You can also find information on the controls you have to manage your data within these pages.

 

Health Services division of AXA Health

We are the Health Services division of AXA Health.  The Health Services division is currently made up of 3 AXA Health companies – AXA ICAS Limited, AXA ICAS Occupational Health Services Limited and AXA PPP healthcare Administration Services Limited (to be renamed AXA Health Services Limited from May 2021). Over the coming months AXA Health Services Limited will become the Data Controller of information which was previously the responsibility of AXA ICAS Limited and AXA ICAS Occupational Health Services Limited. This is why you’ll see some overlap in the services below.

AXA ICAS Limited

  • Psychological Services
  • Proactive Health
  • ActivePlus

AXA ICAS Occupational Health Services Limited

  • Occupational Health Services
  • Musculoskeletal Services

AXA PPP healthcare Administration Services Limited (to be renamed AXA Health Services Limited from May 2021)

  • Psychological Services
  • Proactive Health
  • Occupational Health Services
  • Musculoskeletal Services

You have been directed to this notice either from a consent form, documentation you have received, an online service you have accessed, or by an AXA employee you have spoken to. This notice relates only to the companies and their services listed above and sets out details about how Health Services processes your personal information in relation to them; the companies are Data Controllers of your personal information (to the extent they each process your personal information) and they are each responsible for complying with data protection law. For the purposes of this privacy policy, references to “we” or “us” refer to these companies when they are providing you with the services listed above.

From time to time we may need to make changes to this privacy policy, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. You should check this page periodically to view the most up-to-date version.

  

1. Our Privacy Principles

When we collect and use your personal information, we ensure we look after it properly, use it in accordance with our privacy principles set out below, keep it safe and never sell it.

  1. Personal information you provide is processed fairly, lawfully and in a transparent manner
  2. Personal information you provide is collected for a specific purpose and is not processed in a way which is incompatible with the purpose for which we collected it
  3. Your personal information is adequate, relevant and limited to what is necessary in relation to the purposes we collected it
  4. Your personal information is kept accurate and, where necessary, kept up to date
  5. Your personal information is kept no longer than is necessary for the purposes for which the personal information is processed 
  6. We will take appropriate steps to keep your personal information secure
  7. Your personal information is processed in accordance with your rights
  8. We will only transfer your personal information to another country or an international organisation outside the United Kingdom or outside the European Economic Area when we have taken the required steps to ensure that your personal information is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to adequate standards
  9. AXA UK and AXA Group companies do not sell your personal information and we also do not permit the selling of customer data by any company which provides a service to us
  10. We endeavour to be transparent and clear about the way we use your personal information

 

2. How do we collect your personal information?

Whilst there are a number of ways we collect your personal information, the two main ways are from things you tell us yourself, and from things we ask other people or organisations to share with us. Things you tell us could include information that you provide to us during conversations we have on the phone or face to face. We might also collect information about you from other people and organisations, such as your employer, other AXA Health companies, medical professionals (for example your GP), a treating specialist or physiotherapist in the form of a medical report. 

 

3. What personal information do we collect and how do we use it?

We may collect personal information, such as your contact details and medical information. Please note, in certain circumstances we may need to process a large volume of medical information in order to provide the service to you or a third party, for example your employer. The information may be sensitive and confidential in nature. Where we provide services on behalf of your employer, we will not share information without your consent. We mainly use your personal information to provide you with health-related services.

You will find a non-exhaustive list of the legal grounds under data protection law that we rely on for each use of your personal information below. 

Psychological and Musculoskeletal Services

We will process your personal information to provide psychological and musculoskeletal services.  

If you are accessing psychological services (Stronger Minds) or musculoskeletal services (Working Body) under your private medical insurance plan, or under your employer’s group scheme where you receive this service as a benefit, we’ll process your personal information to deliver these services. The main legal grounds are that the processing is necessary for the performance of a contract with you or to which you are a party, and that the processing is necessary for the purpose of medical diagnosis and the provision of health care or treatment.

Occupational Health

Your employer may instruct us to carry out health-related services on health and safety grounds. The legal grounds for doing this are that the processing is in the legitimate interest of your employer and in some cases, depending on your occupation, your work colleagues and members of the public, and also that the processing is necessary for the purposes of preventative or occupational medicine.

In respect of these psychological, musculoskeletal and occupational health services, we will always seek a valid clinical consent from you in order to process your clinical information, undertake health-related assessments and to share your information with third parties, for example your employer for occupational health purposes or a healthcare professional involved in your care for our other services. Our clinical consent processes are based on the General Medical Council (GMC) Confidentiality Guidance and the Faculty of Occupational Medicine’s Ethical Guidance, as well as laws such as the Access to Medical Reports Act 1988 (where applicable). Clinical consent is not the same as consent to process personal information under data protection law; we do not generally use consent as our legal ground for processing personal information under data protection law.  

ActivePlus

We may process your information to provide you with gym membership or to supply you with the products that you purchase or products that your employer makes available to you through ActivePlus. The legal ground for processing is that the processing is necessary for performance of a contract.

ActivePlus also asks for your marketing preferences for its own use and use by certain companies within the AXA UK group. Your personal information may be used for marketing purposes. The legal ground for doing this is that it is in AXA UK companies’ legitimate interest, having regard to your rights, for example, not to have your information used for this purpose (and if you have agreed to receive marketing, you can change your mind at any time by contacting us).  

Note: as with all provisions of health-related services, there would be other legal grounds used to process your information, for example:

  • To protect your vital interest or that of someone else
  • Within the context of a dispute or legal claim
  • Compliance with a legal obligation to which we are subject

Using your information for Management Information purposes

We use your personal information to help us understand our business and monitor our performance. 

We may provide reports to your employer, or a parent company, for example about service utilisation and workforce health trends. These reports contain aggregated data to a level which means you cannot be identified. 

We may use your personal information collected from customer satisfaction surveys and, where possible, we will anonymise such information. However, sometimes we may need to use your personal information. Where we do, we will obtain your consent beforehand where necessary.

Anonymising your personal information

When required, we anonymise personal information so that individuals cannot be identified, before we use it for management information and analysis of our products and services. Analysis of anonymous information provides us with insights about our business, and with opportunities to improve our products and services and the health and wellbeing of the people who use them. Analysis of anonymous information also allows us to demonstrate the value of the services we provide to our clients. The way that we anonymise personal information aligns with regulatory guidance and is achieved using different techniques, for example removing identifying data or overwriting it with randomised non-identifiable data.  

  

4. Who do we share your personal information with?

Who might we disclose your personal information to?

Disclosures within the AXA Group

In order to provide our services your personal information is shared with other companies in the AXA Group, for example for our general business administration and information technology purposes (for example, as part of the anonymisation process). It is also shared when we make changes to our Group company structure. 

Disclosures to third parties

We also disclose your information to the third parties listed below for the purposes described in this privacy policy. This might include:

  • Your relatives, guardians (on your behalf if you are incapacitated or unable) or other people or organisations connected to you
  • Your current, past or prospective employers
  • Your medical, social and welfare advisers or practitioners 
  • Our third-party clinical providers
  • Our third-party service providers such as IT suppliers, auditors, lawyers
  • Professional regulatory bodies for example the General Medical Council (GMC) and the Nursing and Midwifery Council (NMC)
  • The police, health and social care practitioners for the purposes of safeguarding (Health and Social Care Act 2012, Article 13, 2 (d))
  • Information Commissioner's Office (ICO) UK, Office of the Information Commissioner (OIC) Jersey

Disclosure of your personal information to a third party outside the AXA Group will only be made when the third party has agreed to keep your information strictly confidential and to use it only for the specific purpose for which we provide it to them.

Processing outside the UK and the European Economic Area

Some recipients (within the AXA Group or external to it) may be in countries outside the UK and the EEA, notably in (i) Switzerland, where AXA has a European Data Centre, and (ii) India, where some administration is undertaken. Where we make a transfer of your personal information outside the UK and the EEA we will take steps to ensure that it is protected. Such steps may include placing the party we are transferring personal information to under contractual obligations to protect it to adequate standards.

5. How long do we keep records for?

We keep your personal information for as long as reasonably necessary to fulfil the purposes set out in this privacy policy and in order to comply with our legal and regulatory obligations. 

In most cases, we keep your information for between three and six years after our relationship with you ends, but this varies depending on what data we hold, why we hold it and what we’re obliged to do by the regulator or the law. 

 

6. Your Rights

You can ask us to do various things with your personal information. For example, at any time you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We’ll either do what you’ve asked, or explain why we can’t - usually because of a legal or regulatory issue.

Your Rights

You have a number of rights in relation to our use of your personal information:

The right to access your personal information 

You are entitled to a copy of the personal information we hold about you and certain details of how we use it.  There will not usually be a charge for dealing with these requests. Where you have made the request by electronic means the information will be provided to you by electronic means where possible.

The right to rectification

We take steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and you can ask us to update or amend it. Please note that this does not give you a right to require that a clinician change their professional opinion should you disagree with it.  

The right to erasure:

In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, please note that there may be some legal and regulatory obligations which mean that we cannot comply with your request.  

Right to restriction of processing:

In certain circumstances, you are entitled to ask us to temporarily restrict our use of your personal information, for example whilst we investigate where you think that the personal information we hold about you may be inaccurate. You may also ask us to keep information on a restricted basis where we would otherwise delete it.

Right to data portability:

In certain circumstances, you have the right to ask that we provide to you in a machine-readable format, or where feasible transfer to a third party, personal information that you have provided to us yourself. Once transferred, the other party will be responsible for looking after your personal information.

Right to object:

In certain circumstances, you have the right to object to processing of your personal information. You have an absolute right to object to use of your personal information for marketing purposes.

The right to withdraw consent:

For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further processing of your personal information. Please be aware that clinical consent is not the same as consent under data protection law, so where we obtain a clinical consent this may be subject to different rules, for example those set out by the General Medical Council, and this right may not apply.

You can make any of the requests set out above by using the contact details you have been provided with for our services or alternatively as set out in section 7.  

Please note that when you exercise your rights we may not be able to comply with your request for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make and if we can't comply with your request, we will tell you why.

Complaints

You have a right to complain to the data protection regulators at any time about the way we use your personal information. More information can be found at the following;

 

7. Contact Details of the Data Protection Officer

If you wish to contact the Data Protection Officer the details are below:

The Data Protection Officer (Health Services, AXA Health)
AXA Health
AXIS House
23 St Leonards Road
Eastbourne
BN21 3PX                 
email address: dataprotectionofficer@axahealth.co.uk  

 

8. Company Details for AXA 

AXA ICAS Limited 

AXA ICAS Limited trading as a division of AXA Health, is a private limited company incorporated in England and Wales with company number 02548573 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.

AXA ICAS Occupational Health Services Limited 

AXA ICAS Occupational Health Services Limited trading as a division of AXA Health, is a private limited company incorporated in England and Wales with company number 01336017 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.

AXA PPP healthcare Administration Services Limited (to be renamed AXA Health Services Limited from May 2021)

AXA PPP healthcare Administration Services Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 05961472 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.

AXA UK Group

Information about the companies in the AXA UK Group is available here

 

9. Health Services data privacy declaration

Your personal information can help us give you a better, more personalised service. But looking after that data is a big responsibility. We take our responsibilities seriously, so we’ve introduced internationally-recognised data privacy rules to protect you. We keep your data safe and confidential, and will never sell it. And, if you ask us to, we’ll tell you exactly what information we have so you can be sure it’s up-to-date and accurate.

Our commitment to safeguard personal information

We know that respecting the confidentiality of personal information is critical to preserving your trust. We have therefore developed security procedures, and we use a range of organisational and technical security measures designed to protect your personal information from unauthorised use or disclosure. We will always seek any required clinical consent to process your clinical information, undertake health-related assessments and to share that clinical information with third parties, for example your employer for occupational health purposes or a healthcare professional involved in your care for our other services. Please be aware that clinical consent is not the same as consent under data protection law, so where we obtain a clinical consent this may be subject to different rules, for example those set out by the General Medical Council.